Project

Data Breaches: European Union and Canada

A data breach occurs when an individual’s name and medical or financial records are potentially put at risk. Antiquated laws, malicious or criminal attacks, system glitches, and human error are all factors that put individuals’ personal data at risk. Organizations that fail to exercise due care when handling and processing personal data leave themselves vulnerable to costly consequences. In recent years, the EU has seen an increase in legal disputes related to the collection and handling of data. According to a study by the Ponemon Institute, EU organizations located in France, Germany, Italy and the UK spent an average of $3.27m (USD) on data breaches in 2017. Legal fees, compliance failures, use of mobile platforms, and cloud migration are factors that can increase an organization’s cost of a data breach. Legal services related to compliance failures account for 4%-7% of this average total cost. All of these countries, except for Germany, have seen an increase in compliance-related legal expenditures over the past few years.

The privacy law currently in effect in the European Union (EU) is Directive 95/46/EC. It was enacted in 1995, when the internet was in its infancy. It prevents the free flow of personal data across the EU countries. This directive has not been implemented consistently within the EU because of differences in its interpretation across countries. As a result, there are varying levels of personal data protection across the continent. Finally, in May 2018, Directive 95/46/EC will be replaced with the General Data Protection Regulation (GDPR). This new framework, informed by all the changes in the world of cyberspace, will provide uniformity of data protection across the EU and increase all individuals’ rights to control and protect their data. It will become the sole piece of legislation that addresses the appropriate handling and collection of data. This differs from the USA, where regulations change based on data type and industry.
GDPR represents a major overhaul. Compliance will be closely monitored by a Supervisory Authority. GDPR might be effective in standardizing data protection across the EU. However, this study also discusses the redress that individuals have in the event of a data breach. The private right of class action lawsuits against offending organizations varies among the countries within the EU. For example, in Finland and Hungary, only public authorities hold the right to bring a lawsuit on behalf of affected parties. In contrast, only consumer organizations can file on behalf of groups in Greece and France. The Netherlands allows both public authorities and consumer organizations to represent affected parties. Bulgaria, Italy, Spain, the UK, Germany, Portugal, and Sweden allow public authorities and individuals to file. Compared to the USA, the EU’s collective redress mechanisms lack strength and uniformity. In order to guard against future data breaches and fulfill the obligation of protecting personal data, organizations must implement preventive measures and put into practice GDPR’s robust compliance standards. These actions would limit an organization’s expenditures and assist in customer retention. Hefty settlements could be minimized and organizations could remain more profitable.